On Apr 8, 2009, at 5:59 PM, Jonathan Petersson wrote:

On Apr 8, 2009, at 3:21 PM, Kevin Darcy wrote:

I'm not a big fan of allowing users to enter Resource Records verbatim. Most users aren't that sophisticated, or, if they are, they can do their nsupdates directly, if they have been given access to the relevant TSIG key (how's that for a False Dilemma argument :-)
Again, I have to disagree with that statement. Aside from automated updates, even for dynamic zones (zones that allow dynamic updates), our customers wouldn't want day-to-day updates being submitted by dynamic update from user to DNS server. The reason is that dynamic updates are anonymous - there's no audit trail. For compliance reasons, it's valuable to have such updates submitted through a tool that logs them (user, timestamp, actions, user comment), even if the tool then sends them on to the DNS server via dynamic updates.
Not sure if we're talking about the same kind of dynamic update here. I'm referring to updates controlled by update-policy in conjunction with TSIG keys. Each independent user can have his own key with applicable restrictions, and it's logged accordingly in BIND's log files.
OK, that's true. But you have to be very careful not to run into a situation in which BIND stops logging - you must use a recent version of BIND (9.3+) and configure log rolling settings (versions and size), and then have a way to archive the older logs appropriately.
Dynamic updates are invaluable when you have business units who want to maintain control of their own zones but aren't allowed to manipulate data directly on the DNS master servers.
Men & Mice Suite also gives this ability, without having to require users to understand nsupdate (or TSIG keys). It allows an administrator to decide who can see which zones, and what they can do with them once they see them. Users do not have to be given shell access to the servers, or any access at all outside of Men & Mice Suite.

I'm not trying to argue that you have to switch to our solution to have proper logging, privilege control, etc. I'm simply trying to rebut Kevin's opinion that allowing users to enter RRs in standard form is somehow bad, and using our solution as an example to back up my opinion. With the right management software looking over their shoulders, as it were, enforcing proper syntax, enforcing privileges, and logging all activity, it can be fine.
Chris Buxton
Professional Services
Men & Mice
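The two points the thread turns on, per-user TSIG keys scoped by update-policy and update logging that does not silently stop, fit in one named.conf. The fragment below is an added illustration written for this page, not configuration from any poster or from Men & Mice; the zone name, key names, file paths, and the hosts.example.com delegation are assumptions, and the key secrets are placeholders to be replaced with output from the BIND key-generation tools. The syntax is the BIND 9.3-era form the thread refers to (hmac-md5 was the only TSIG algorithm then; later releases accept hmac-sha256).

```conf
// Added example: one TSIG key per user, so every update carries an identity.
// Secrets are PLACEHOLDERS (assumed), not real key material.
key "alice.example.com." {
    algorithm hmac-md5;
    secret "PLACEHOLDER-base64-secret-for-alice==";
};
key "bob.example.com." {
    algorithm hmac-md5;
    secret "PLACEHOLDER-base64-secret-for-bob==";
};

// Update audit trail. "versions" and "size" give log rolling, so the channel
// keeps writing instead of stopping when the file fills; older rolled files
// (update.log.0 ... update.log.9) are what an archive job should collect.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 10 size 20m;   // path assumed
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category update { update_log; };           // accepted dynamic updates
    category update-security { update_log; };  // approvals and denials
};

// The dynamic zone (assumed name). Each grant names the key identity that
// signed the request, the part of the namespace it may touch, and the
// record types it may change; anything else is refused and logged.
zone "example.com" {
    type master;
    file "dyn/example.com";
    update-policy {
        // alice may change only A/AAAA/TXT records under hosts.example.com
        grant alice.example.com. subdomain hosts.example.com. A AAAA TXT;
        // bob may change only A/AAAA records at the single name bob.example.com
        grant bob.example.com. name bob.example.com. A AAAA;
    };
};
```

With this in place, an entry in update.log shows the key name that signed the request alongside the change, which is the per-user trail the thread describes; the update-security category records refused requests as well, so attempts outside a user's grant are visible rather than silently dropped. The rolling settings are the safeguard mentioned in the reply: without versions and size, a full disk or a never-rotated file is how "BIND stops logging" in practice.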
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users